Record of Data Processing Activities under Roima’s Responsibility
Personal data (the “Personal Data”) shall refer to all information concerning an identified or identifiable natural person, as referred to in the EU General Data Protection Regulation (EU 2016/679) (the “GDPR”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, social security number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Roima is considered to be the Processor of the Customer’s Personal Data because, in Roima’s capacity as operator of the Customer’s systems for maintenance purposes, Roima’s employees have a technical possibility to view and modify the Customer’s Personal Data.
In the systems supplied by Roima, Personal Data includes, at the very least, the user identifiers, forming one Personal Data register. Some of Roima’s software also allows customers to establish other Personal Data registers, related to, for example, the Customer’s employees or the contact persons of business partners.
2 Record of Processing Activities
2.1 Data Controller
The company that controls and uses the system maintained by Roima and the Personal Data register or registers included in the system (Customer).
2.2 Data Processor
Roima Intelligence Inc. (Roima)
Main office: Upseerinkatu 1, FI-02600 Espoo, Finland
Contact person: The maintenance contact person named by Roima for the Customer.
2.3 Grouping of Processing Activities Performed on Behalf of the Data Controller
Roima processes the Customer’s Personal Data in connection with performing the following work or service requests requested by the Customer or agreed upon with the Customer:
a) Investigation request that concerns or involves the Customer’s Personal Data
b) Error fix that concerns or involves the Customer’s Personal Data
c) Installation and testing of a new feature or software modification that is related to the Customer’s Personal Data
d) Installation and testing of a new version
e) Service or a work performance ordered by the Customer involving the Customer’s Personal Data
The Personal Data in the Customer’s database are viewed, transferred or stored elsewhere only when performing the work requested by the Customer so requires.
The Customer’s Personal Data will not be disclosed to any third parties without the Customer’s written permission. The secure means of transferring Personal Data have been defined in separate instructions.
2.4 Processing by System Supplier
a) User count
Roima calculates the number of system users (active user identifiers) from time to time and compares the verified number of users to the Customer’s user licenses. If the licenses have been defined by user group, the users are also calculated by user group. To exclude possible overlapping identifiers, individual users might be considered for the Customer’s benefit.
2.5 Transferring of Personal Data to a Third Country or to an International Organization
In principle, Personal Data will not be transferred outside the EU or to international organizations. Should a situation arise where such transfer of Personal Data could be considered, Roima will ask for the Customer’s written permission in advance of transferring the data.
2.6 General Description of the Security Measures to Protect the Customer’s Personal Data
Roima’s employees have a general confidentiality obligation regarding the Customer’s Personal Data and business information. Roima typically maintains the Customer’s system through remote connections. The information needed for establishing a remote access session is stored so that it can only be accessed with a personal identifier and a password. The remote access information can only be viewed by persons who, due to their role, have a right to access the Customer’s environment. Remote connections are implemented using secure connections.
Separate instructions have been prepared on remote access information and the processing of the Customer’s Personal Data, including instructions on the secure transfer of Personal Data.